First, the Shoreline Firewall is excellent. It was easy to set up and is easy to maintain.

However, I have an urgent problem. In addition to the Shoreline Firewall, I'm running Exim in hub mode on my firewall box. All email going in and out goes through this box. Pretty much everything is OK, except I have a couple of domains that I cannot send mail to.

If I'm on the firewall and I try to telnet to port 25 on the mx host for the mail domain, I get "network is unreachable". I can traceroute to the host in question.

If I'm on a machine *inside* the firewall (on loc), I *can* telnet to port 25 on the mx host for the mail domain.

Something is very odd. Although it only happens with a couple of domains, one of them is an important customer.

Any light that can be shed will be greatly appreciated.

Chris
On Wed, 8 May 2002, Chris Dollmont wrote:

> First, the Shoreline Firewall is excellent. It was easy to set up and is
> easy to maintain.
>
> However, I have an urgent problem. In addition to the Shoreline
> Firewall, I'm running Exim in hub mode on my firewall box. All email
> going in and out goes through this box. Pretty much everything is OK,
> except I have a couple of domains that I cannot send mail to.
>
> If I'm on the firewall and I try to telnet to port 25 on the mx host for
> the mail domain, I get "network is unreachable". I can traceroute to the
> host in question.
>
> If I'm on a machine *inside* the firewall (on loc), I *can* telnet to
> port 25 on the mx host for the mail domain.
>
> Something is very odd. Although it only happens with a couple of
> domains, one of them is an important customer.
>
> Any light that can be shed will be greatly appreciated.

Try this -- create /etc/shorewall/start and add this to it:

    echo 0 > /proc/sys/net/ipv4/tcp_ecn

then type

    echo 0 > /proc/sys/net/ipv4/tcp_ecn

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
On Wed, 8 May 2002, Tom Eastep wrote:

> > Something is very odd. Although it only happens with a couple of
> > domains, one of them is an important customer.

And if my suggestion works, you might whisper to this important customer to get their act together. ECN is on standards track and they are going to be left out in the cold if they don't get their routers and servers upgraded/configured to accept it.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
You were correct. Turning off ECN solved the problem. Can you give us a nutshell explanation of why?

Chris

On 5/8/02 at 4:09 PM, Tom Eastep said:

>On Wed, 8 May 2002, Tom Eastep wrote:
>
>> > Something is very odd. Although it only happens with a couple of
>> > domains, one of them is an important customer.
>
>And if my suggestion works, you might whisper to this important customer
>to get their act together. ECN is on standards track and they are going
>to be left out in the cold if they don't get their routers and servers
>upgraded/configured to accept it.
>
>-Tom
>--
>Tom Eastep    \ Shorewall - iptables made easy
>AIM: tmeastep  \ http://www.shorewall.net
>ICQ: #60745924  \ teastep@shorewall.net
On Wed, 8 May 2002, Chris Dollmont wrote:

> You were correct. Turning off ECN solved the problem. Can you give us a
> nutshell explanation of why?

ECN ("Explicit Congestion Notification") is offered by setting a previously reserved bit in the TCP header of a SYN packet (first step of the 3-step TCP session initiation protocol). If the destination host (or in some cases, a router traversed on the way to the server) doesn't recognize ECN and thinks the flags are invalid, it will usually reject the connection request. The reason that you were able to connect from hosts behind the firewall is that those hosts were not setting the "ECN bit" in the SYN packet that they were sending.

ECN was added to Linux in one of the 2.3 kernels and is enabled through a combination of a kernel-configuration option and the entry in /proc.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
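The mechanism Tom describes can be made concrete by looking at the raw TCP header bits. The script below is an added example written for this thread, not code from the list or from the Shorewall project. It follows RFC 3168, where an ECN-capable client marks its SYN with the ECE and CWR flags, both of which sit in the half-word that RFC 793 labelled "reserved". Parsing the same constructed SYN two ways shows why an up-to-date stack sees a valid "ECN-setup SYN" while a pre-RFC 3168 host or router that insists the reserved bits be zero sees a malformed packet and drops or rejects it. The constructed packets (ports, sequence number) are sample values, not captures.

```python
import struct

# Flag bits in the low 9 bits of the TCP offset/flags half-word.
# RFC 793 defined only the low 6 (FIN..URG) and called the bits above
# them "reserved"; RFC 3168 assigned ECE and CWR from that reserved field.
FLAG_FIN = 0x001
FLAG_SYN = 0x002
FLAG_RST = 0x004
FLAG_PSH = 0x008
FLAG_ACK = 0x010
FLAG_URG = 0x020
FLAG_ECE = 0x040  # ECN-Echo
FLAG_CWR = 0x080  # Congestion Window Reduced


def build_tcp_header(sport, dport, seq, flags, window=5840):
    """Build a minimal 20-byte TCP header with no options.

    The checksum is left at zero; this is a constructed sample for parsing,
    not a packet meant to be sent.
    """
    data_offset_words = 5  # 20 bytes / 4
    off_flags = (data_offset_words << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, off_flags, window, 0, 0)


def parse_tcp_header(data):
    """Parse the fixed part of a TCP header into a dict.

    'flags' is the RFC 3168 view (9 flag bits); 'rfc793_reserved' is the
    six-bit field an RFC 793-era implementation expects to be all zero.
    """
    if len(data) < 20:
        raise ValueError("need at least 20 bytes of TCP header")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack(
        "!HHIIHHHH", data[:20]
    )
    return {
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "ack": ack,
        "data_offset": (off_flags >> 12) * 4,
        "flags": off_flags & 0x1FF,
        "rfc793_reserved": (off_flags >> 6) & 0x3F,
    }


def classify_syn(hdr):
    """Describe a connection request the way an ECN-aware stack would."""
    flags = hdr["flags"]
    if not (flags & FLAG_SYN) or (flags & FLAG_ACK):
        return "not a SYN"
    if (flags & FLAG_ECE) and (flags & FLAG_CWR):
        return "ECN-setup SYN"
    return "plain SYN"


def rejected_by_legacy_stack(hdr):
    """True when a host or router that predates RFC 3168 and requires the
    reserved bits to be zero would treat this header as invalid."""
    return hdr["rfc793_reserved"] != 0


if __name__ == "__main__":
    # Constructed samples: a SYN to port 25 from an ECN-enabled sender
    # (tcp_ecn=1) and the same SYN with ECN off (tcp_ecn=0).
    samples = {
        "tcp_ecn=1": build_tcp_header(40000, 25, 1, FLAG_SYN | FLAG_ECE | FLAG_CWR),
        "tcp_ecn=0": build_tcp_header(40000, 25, 1, FLAG_SYN),
    }
    for name, pkt in samples.items():
        h = parse_tcp_header(pkt)
        print(
            f"{name}: {classify_syn(h)}, reserved bits as seen by an old stack = "
            f"{h['rfc793_reserved']:#04x}, rejected by legacy stack: "
            f"{rejected_by_legacy_stack(h)}"
        )
```

Run it and the ECN-enabled SYN shows reserved bits of 0x03 under the old interpretation, which is exactly what a legacy MX host or intermediate router objects to; the SYN built with ECN off carries all-zero reserved bits and is accepted by both. The same parser can be pointed at a packet capture taken on the firewall when diagnosing a "network is unreachable" or reset against a specific remote host, to confirm the ECN flags are the difference between the firewall's own SYNs and those from hosts behind it.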
On 8 May 2002 at 17:15, Tom Eastep wrote:

> ECN was added to Linux in one of the 2.3 kernels and is enabled through a
> combination of a kernel-configuration option and the entry in /proc.

Reading this list is just like going to college! ;-)

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
John Andersen wrote:

> On 8 May 2002 at 17:15, Tom Eastep wrote:
>
> > ECN was added to Linux in one of the 2.3 kernels and is enabled through a
> > combination of a kernel-configuration option and the entry in /proc.
>
> Reading this list is just like going to college!
> ;-)

Just like college, only better:

* it's free
* you don't have to attend classes
* the homework is optional
* and as an added bonus, the homework is fun!

:-)

Paul
http://paulgear.webhop.net